Cybersecurity certification schemes backed by MEPs

Out-Law News | 15 Mar 2019 | 9:47 am | 2 min. read

Businesses could in future be forced to ensure their products, services or processes meet specified cybersecurity standards under proposed new EU rules that have been formally approved by the European Parliament.

The draft new information and communications technology cybersecurity certification Regulation, colloquially known as the EU Cybersecurity Act, received the overwhelming support of MEPs in a vote held earlier this week.

According to the proposed new rules, cybersecurity standards could be mandated for certain ICT products, services and processes before the end of 2023.

The Regulation points to an evolving framework of cybersecurity certifications which would initially be voluntary in nature, and which provide for both third party certification and the possibility for "conformity self-assessment".

According to the proposed new Regulation, the European Commission would first develop a "rolling work programme for European cybersecurity certification", the first iteration of which would need to be published within a year of the new rules coming into force.

The work programme would "identify strategic priorities for future European cybersecurity certification schemes" and "include a list of ICT products, ICT services and ICT processes or categories thereof that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme". Specific criteria are contained in the draft Regulation which would shape the Commission's decisions to include ICT products, services and processes on its list.

The rules envisage the Commission asking the EU Agency for Network and Information Security (ENISA) to subsequently prepare a European cybersecurity certification scheme in line with the Regulation. This means, among other things, that it would be up to ENISA to ensure the schemes meet listed security objectives and further conform to at least one of the assurance levels that the rules provide for.

Certification schemes could specify 'basic', 'substantial' and/or 'high' assurance levels. The security requirements and functionalities would differ depending on the level of assurance that ICT products, services or processes would be striving to provide.

In short, though, to achieve the 'basic' level of assurance, the products, services or processes would need to "have been evaluated at a level intended to minimise the known basic risks of incidents and cyberattacks". The evaluation would need to at least involve "a review of technical documentation".

The 'substantial' standard requires the products, services or processes to "have been evaluated at a level intended to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources". The evaluation process would be stiffer than under the 'basic' standard and must involve, among other things, testing of the security functionalities.

Achieving a 'high' level of assurance will require products, services or processes to "have been evaluated at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources". Again, the requirements of evaluation would be tougher, with penetration testing required to be undertaken as part of an assessment of resistance to "skilled attackers".

Initially European cybersecurity certification schemes would be voluntary, but under the proposed new rules the European Commission would be required to assess whether any of the schemes should be made mandatory in EU law. The Commission must carry out its first assessment of this kind before the end of 2023 and at least every two years thereafter.

The rules backed by MEPs also need to be approved in a vote of the Council of Ministers if they are to become EU law. The Council is the EU's other law-making body and is made up of representatives from the governments of EU countries. The Council and the European Parliament previously informally agreed on the wording of the new rules.

The European Parliament's rapporteur on the reforms, German MEP Angelika Niebler, said: "This significant success will enable the EU to keep up with security risks in the digital world for years to come. The legislation is a cornerstone for Europe to become a global player in cybersecurity. Consumers, as well as the industry, need to be able to trust in IT-solutions."

The European Parliament separately on Tuesday adopted a non-binding resolution which called for EU action to address "security threats connected with the rising Chinese technological presence in the EU".